For the sake of convenience, a simple P2P application like DC++ may be assumed, although I am aiming at a broader set involving torrents etc. too.

Peer A does a search for file qwerty.mp3, and then starts pulling the file, in pieces, from different peers: B, C, D and E.

Now say Mr. C is the one who has shared this file amongst peers, and he is a malicious peer and the file contains malware, a trojan, etc.

Since the file is being downloaded in pieces from different peers, it is unlikely that a standard intrusion detection system will be able to detect it, since most of them involve signature-based detection techniques.
And most likely when the pieces are re-assembled at the system of Mr. A, his anti-virus will flag a warning about the malicious content.

So, my question:
At the network level, what approach may an admin take so that innocent peers like A are protected from such situations?

Kindly do not suggest actions or measures relating to the end user. Whatever has to be done, must be done at the network level.

Please note that I am looking at this more from a research point of view, and it is perfectly alright not to point me towards existing techniques used in production environments but to share links to research papers and give answers which tell of open-ended techniques.

What protocol are you using for your peer-to-peer transfer? Is it in-house or off-the-shelf? Also, have you considered a related case - a user simply shares malicious content with the filename of 'real' content?
–
randomdudeJul 25 '12 at 14:23

@randomdude I must consider all possible cases - for protocols, for in-house transfer and off-the-shelf (I am not very sure of what "off the shelf" is), etc. Yes, a user may simply share malicious content. I think I covered this when I wrote "...and the file at his end contains a malware/ virus/ trojan etc.".
–
pnpJul 25 '12 at 14:38

Until you run qwerty.mp3 it is harmless. What exactly is your question? The solution is to block peer-to-peer traffic as a network admin. The few useful uses can be approved by you on a case-by-case basis (or simply worked around), as those same cases have direct download solutions.
–
RamhoundJul 25 '12 at 16:07

@Ramhound "block P2P traffic"!! NO!!!! I have to deal with P2P traffic, and only P2P traffic, and all kinds of varieties of it. I am not looking for workarounds. In my estimate I need a (so as to say) P2P-aware IDS/firewall (both or either) - and that is exactly what I asked...
–
pnpJul 25 '12 at 16:14

@pnp - Your estimate is wrong. You need security software; that is not a workaround, despite the fact you claim it is. As I already indicated, until the file is run, it's harmless. Use P2P software that doesn't auto-execute files and you're safe.
–
RamhoundJul 26 '12 at 11:14

4 Answers

P2P traffic has in fact directly impacted the performance of most IDS/IPS, and there is a significant increase in false positives. The issue lies with the behavior of P2P traffic, which is a lot like malicious traffic.

For the second part of your question, the most idealistic approach that can be adopted at the network level is DPI (deep packet inspection). The idea is to segregate P2P traffic from the normal traffic as much as possible, though DPI is not applicable to encrypted P2P traffic. In the next phase, signatures are applied to this segregated P2P traffic for separating malicious from benign P2P traffic.

Thanks for your input. I have read that and have been following that work. Rather, I got this question only after reading this and some other related papers. Although I must say that your suggestion of DPI will not be welcomed by those who advocate privacy!
–
pnpJan 17 '13 at 7:04

Agreed DPI will always have privacy concerns. You will find some interesting research articles on P2P botnet detection using P2P as C&C channels.
–
Ali AhmadJan 17 '13 at 13:48
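The two-stage approach in the answer above (segregate P2P flows first, then signature-scan only those) as an added example; this is not code from the answer or from any product. The protocol markers are the plaintext BitTorrent peer handshake and the NMDC (DC++) command prefixes; the "trojan marker" signature, the flow payloads and the entropy threshold are all constructed for the demo.

```python
"""Added example: a toy deep-packet-inspection pass that first segregates
P2P flows from other traffic by their plaintext protocol markers, then
applies content signatures to the P2P flows only.  Payloads and the
signature below are constructed for the demo, not real traffic or rules."""
import re

# Plaintext markers of the two P2P protocols named in the question.
BT_HANDSHAKE = b"\x13BitTorrent protocol"             # start of a BitTorrent peer handshake
NMDC_PREFIXES = (b"$MyNick ", b"$Lock ", b"$Hello ")   # NMDC (DC++) command prefixes

# Constructed stand-in for an IDS/AV content signature (assumed, not real).
SIGNATURES = {"demo-trojan-marker": re.compile(rb"TROJAN_MARKER_\d{4}")}


def looks_encrypted(payload: bytes) -> bool:
    """Crude entropy proxy: many distinct byte values and no recognisable header."""
    if len(payload) < 64:
        return False
    return len(set(payload)) / len(payload) > 0.8


def classify_flow(payload: bytes) -> str:
    """Label a flow by its first bytes: 'bittorrent', 'nmdc', 'encrypted-unknown' or 'other'."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent"
    if payload.startswith(NMDC_PREFIXES):
        return "nmdc"
    if looks_encrypted(payload):
        return "encrypted-unknown"   # DPI has nothing to match on here (e.g. MSE-obfuscated BT)
    return "other"


def scan(payload: bytes) -> list[str]:
    """Names of all signatures that match this payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def inspect(flows: dict[str, bytes]) -> dict[str, dict]:
    """Stage 1: segregate; stage 2: signature-scan each P2P flow on its own."""
    report = {}
    for flow_id, payload in flows.items():
        proto = classify_flow(payload)
        hits = scan(payload) if proto in ("bittorrent", "nmdc") else []
        report[flow_id] = {"protocol": proto, "hits": hits}
    return report


def demo_flows() -> dict[str, bytes]:
    """Constructed traffic: A pulls qwerty.mp3 in pieces from B, C, D and E."""
    # 68-byte handshake: pstr, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id (all dummy)
    bt_hdr = BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-XX0000-" + b"0" * 12
    return {
        "B->A": bt_hdr + b"ID3\x03\x00 benign audio bytes ...",
        # C's piece carries the whole marker: per-flow scanning sees it.
        "C->A": bt_hdr + b"... TROJAN_MARKER_0001 ...",
        # The same marker split over two pieces from two peers: neither
        # flow alone matches, which is exactly the gap the question describes.
        "D->A": bt_hdr + b"... TROJAN_MA",
        "E->A": bt_hdr + b"RKER_0002 ...",
        "hub":  b"$Lock EXTENDEDPROTOCOL_demo Pk=demo|$HubName demo|",
        "web":  b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        "mse":  bytes(range(256)),   # stand-in for an encrypted P2P stream: unclassifiable
    }


if __name__ == "__main__":
    for fid, r in inspect(demo_flows()).items():
        print(f"{fid:5} {r['protocol']:18} hits={r['hits']}")
```

Running it shows the two limits the thread is circling: the "mse" flow is segregated only as "encrypted-unknown", and the marker split between D and E is missed because each flow is scanned on its own, which is why the later answers move the scan to the point where the file is reassembled.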

Much P2P software will create hashes of each piece to prevent a malicious entity from modifying the pieces in flight. When your P2P client gets a piece, it verifies its hash. This will prevent one malicious entity from modifying a piece of a valid file, but it won't help you if the file itself (qwerty.mp3) is malicious.

If the file itself is malicious, a simple solution is to just run an anti-virus scan against the final file and see if there are any problems. This will satisfy your signature/anomaly-based detection (depending on what the anti-virus does).

Run an anti-virus?!?! I can't just suggest that as a solution to a project work!! Whatever I need to do, I must do as a network admin/designer - say, use an open source firewall or use Snort and configure them for this specific scenario...
–
pnpJul 25 '12 at 15:04

So you want an overly complicated solution? You can always set up scans to run automatically when the P2P client finishes the download.
–
OleksiJul 25 '12 at 15:19


@pnp - Unless you compare the signature of the file to a known database of malicious files, you can't know for sure it's not malicious. Running an anti-virus is a perfectly valid solution.
–
RamhoundJul 25 '12 at 16:08

Perhaps you could run the p2p programs on a proxy, download the whole file (this is the first time you're going to see it and be able to fully virus scan it... the p2p transmission is irrelevant), then scan it and serve it to the user.

Easy way: web UI for people to search, request & download.
Hard way: intercept from P2P clients and pretend to be the only peer whilst in fact downloading from loads of other peers, not letting much of the file hit the downloader until you've scanned it.

This is similar to an IP fragmentation attack. By fragmenting an IP datagram into smaller pieces, one kind of DoS attack is done, as far as I know. You can google it. This is the 4th result in Google, but OffensiveSecurity is generally one of the best on security issues.